PT-2024-30696 · Linux+7 · Linux Kernel+7

Published 2024-07-14 · Updated 2025-09-29 · CVE-2024-43834

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.6.50

Description

The issue arises from the invalid wait context of page_pool_destroy() when a driver uses a page pool and XDP (eXpress Data Path). The page_pool_create() function creates a page pool with a default reference count of 1. When the driver uses XDP, it registers a memory model with xdp_rxq_info_reg_mem_model(), which increases the page pool reference count to 2 if the memory model is a page pool. To destroy the page pool, the driver must call both page_pool_destroy() and xdp_unreg_mem_model(). However, if page_pool_destroy() is called before xdp_unreg_mem_model(), it results in an invalid wait context warning because xdp_unreg_mem_model() calls page_pool_destroy() with rcu_read_lock(), while page_pool_destroy() internally acquires mutex_lock().

The problem is fixed by using rhashtable_lookup_fast() instead of rhashtable_lookup() with rcu_read_lock(). The xa is freed by __xdp_mem_allocator_rcu_free(), which is called by call_rcu() of mem_xa_remove(). The mem_xa_remove() is called by page_pool_destroy() when the reference count reaches 0. Since xa is already protected by the reference count mechanism in the control plane, removing rcu_read_lock() for page_pool_destroy() is safe.

Recommendations

To resolve the issue, update the Linux kernel to version 6.6.50 or later. For versions prior to 6.6.50, ensure that page_pool_destroy() and xdp_unreg_mem_model() are called in the correct order to avoid the invalid wait context warning. If possible, consider disabling the use of XDP or the page_pool_destroy() function until the update can be applied.
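
The ordering problem and the effect of the fix can be reproduced in a small userspace model. This is an added example, not kernel code or code from the advisory: the function names mirror the kernel ones, but the bodies, the `teardown()` helper and the `rcu_depth` / `bad_wait_ctx` counters are simplified assumptions, including the assumption that only the call dropping the last reference reaches the mutex.

```c
/* Userspace model of the teardown paths (added example, not kernel code).
 * Names mirror the kernel functions; bodies are simplified stand-ins. */
#include <stdio.h>
struct pool { int user_cnt; };   /* models the page pool reference count */
static int rcu_depth;            /* > 0 while inside rcu_read_lock() */
static int bad_wait_ctx;         /* sleeping locks attempted under RCU */
static void rcu_read_lock(void)   { rcu_depth++; }
static void rcu_read_unlock(void) { rcu_depth--; }
static void mutex_lock(void)      { if (rcu_depth > 0) bad_wait_ctx++; }

/* Model assumption: only the call dropping the last reference takes the mutex. */
static void page_pool_destroy(struct pool *p)
{
    if (--p->user_cnt > 0) return;
    mutex_lock();                /* final release path may sleep */
}

/* Before the fix: the destroy call sits inside the RCU read section. */
static void xdp_unreg_mem_model_old(struct pool *p)
{
    rcu_read_lock();             /* held for rhashtable_lookup() */
    page_pool_destroy(p);
    rcu_read_unlock();
}

/* After the fix: rhashtable_lookup_fast() holds RCU only for the lookup. */
static void xdp_unreg_mem_model_fixed(struct pool *p)
{
    rcu_read_lock();             /* taken inside rhashtable_lookup_fast() */
    rcu_read_unlock();
    page_pool_destroy(p);        /* no RCU read section held here */
}

/* Runs one teardown and returns the number of invalid-wait-context hits. */
static int teardown(int destroy_first, int fixed)
{
    struct pool p = { .user_cnt = 2 };  /* create (1) + XDP registration (2) */
    rcu_depth = bad_wait_ctx = 0;
    if (destroy_first) page_pool_destroy(&p);
    if (fixed) xdp_unreg_mem_model_fixed(&p); else xdp_unreg_mem_model_old(&p);
    if (!destroy_first) page_pool_destroy(&p);
    return bad_wait_ctx;
}

int main(void)
{
    printf("old/destroy-first=%d fixed/destroy-first=%d\n", teardown(1, 0), teardown(1, 1));
    return 0;
}
```

In the model only the pre-fix path with page_pool_destroy() called first takes the mutex inside the RCU read section; the other three combinations do not.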

Exploit

Fix

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2024-14046
AZL-51980
BDU:2025-01723
CVE-2024-43834
DLA-3912-1
DLA-4008-1
INFSA-2025_6966
MGASA-2024-0309
MGASA-2024-0310
OESA-2024-2106
OESA-2024-2107
OESA-2024-2108
OESA-2024-2296
OPENSUSE-SU-2024_3190-1
OPENSUSE-SU-2024_3209-1
OPENSUSE-SU-2024_3483-1
RHSA-2025:6966
RHSA-2025_6966
SUSE-SU-2024:3190-1
SUSE-SU-2024:3194-1
SUSE-SU-2024:3195-1
SUSE-SU-2024:3209-1
SUSE-SU-2024:3383-1
SUSE-SU-2024:3483-1
SUSE-SU-2025:20044-1
SUSE-SU-2025:20047-1
USN-7100-1
USN-7100-2
USN-7123-1
USN-7144-1
USN-7154-1
USN-7154-2
USN-7155-1
USN-7156-1
USN-7194-1
USN-7196-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu